Restrict OWA for external access by ADFS 3.0 after business hours

Hello everyone, all right?
I'm trying to block access to OWA for external users, except for a group of AD users that will be allowed.
I used the article https://technet.microsoft.com/en-us/library/hh526961%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 in scenario 4, but instead of allowing the user groups, it locks them out, and the other groups are allowed.
I have a hybrid environment, Office 365 with Exchange 2007 + Exchange 2013, and have installed ADFS 3.0 in my customer's organization.
Can anyone help?
Regards,
Leonardo Fogaça de Almeida

another part
I have Office 365 too.
Regards,
Leonardo Almeida

Similar Messages

  • Disable OWA for External Site

    Dear Expert,
    I just implemented Exchange Server 2013 and I have a request from the management team. They already use OWA and mobile internally,
    but they would like to disable OWA and enable mobile when users are outside the office.
    Please advise.

    Hi,
    Do you mean you want to know how you can block or disable external OWA for Exchange users without affecting internal OWA and external ActiveSync for them?
    If so, here are the steps you can use to block all users from accessing OWA externally.
    1. Create a new website only for the ActiveSync service. Ex: (New-WebSite -Name TestSite -Port 80 -HostHeader TestSite -PhysicalPath "$env:systemdrive\inetpub\testsite").
    2. Assign a new IP address to that website.
    3. Create an ActiveSync virtual directory in the new website. Ex: (New-ActiveSyncVirtualDirectory -WebSiteName "TestSite" -ExternalURL http://www.contoso.com/mail -InternalURL http://contoso/mail).
    4. Assign a certificate to the new website.
    5. Don’t create OWA and ECP virtual directories in the new website.
    6. On the firewall, NAT the public IP address to the internal IP address assigned to the new website.
    7. Use the Default Website for internal Outlook Web Access (without External URL settings and with no public IP address for the default site).
    Alternatively, we can keep the default web site for external access of ActiveSync with external OWA disabled, then create a new web site for internal OWA/ECP use. For more details about this method, please refer to:
    http://www.expta.com/2013/09/how-to-block-owa-2010-and-2013-for.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Thanks,
    Winnie Liang
    TechNet Community Support
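
    The split described in the steps above can be audited once it is in place. This is an added example, not part of the original answer or of Microsoft's guidance; it assumes the Exchange Management Shell on the Client Access server, the example site name TestSite from step 1, and "Default Web Site" as the internal site.

    ```powershell
    # Added example: audit which Exchange virtual directories each IIS site exposes.
    # Assumptions: Exchange Management Shell on the Client Access server;
    # 'TestSite' is the example name from step 1, not a required value.
    Import-Module WebAdministration

    $externalSite = 'TestSite'           # site the firewall NATs to (step 6)
    $internalSite = 'Default Web Site'   # internal-only site (step 7)
    $findings     = @()

    # Exchange names virtual directories "<vdir> (<IIS site name>)".
    $owaEcp = @(Get-OwaVirtualDirectory -Server $env:COMPUTERNAME) +
              @(Get-EcpVirtualDirectory -Server $env:COMPUTERNAME)

    foreach ($vdir in $owaEcp) {
        # Step 5: the externally published site must carry no OWA or ECP.
        if ($vdir.Name -like "*($externalSite)") {
            $findings += "OWA/ECP present on external site: $($vdir.Name)"
        }
        # Step 7: OWA/ECP on the internal site should publish no external URL.
        if ($vdir.Name -like "*($internalSite)" -and $vdir.ExternalUrl) {
            $findings += "External URL still set on $($vdir.Name): $($vdir.ExternalUrl)"
        }
    }

    # Step 3: ActiveSync is the only Exchange service expected on the external site.
    $eas = @(Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME |
             Where-Object { $_.Name -like "*($externalSite)" })
    if ($eas.Count -eq 0) {
        $findings += "No ActiveSync virtual directory found on $externalSite"
    }

    # Step 2: the external site needs its own IP address. A wildcard binding
    # would answer on every address of the server, including the internal one.
    # bindingInformation is "IP:port:hostheader" (IPv4 bindings assumed here).
    foreach ($binding in Get-WebBinding -Name $externalSite) {
        $ip = ($binding.bindingInformation -split ':')[0]
        if ($ip -eq '*' -or $ip -eq '') {
            $findings += "$externalSite is bound to all addresses: $($binding.bindingInformation)"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "OK: only ActiveSync is published on $externalSite"
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    ```

    Rerun it after cumulative updates or certificate changes to confirm the virtual directories and bindings still match the intended layout.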

  • How to create db conn for JDBC-ODBC Bridge for MS Access in ADF APP?

    Sir,
    How to create db conn for JDBC-ODBC Bridge for MS Access in ADF APP?
    Regards

    Hello Every Body!
    I succeeded in getting connect to the ms access database in adf application in jdeveloper as below:
    First, in Control Panel go to Admin Tools, then go to Data Sources (ODBC) and create a system DSN as in the picture below.
    Then go to JDeveloper Resources, IDE Connections, then Database and New Database Connection, then select JDBC-ODBC Bridge and give the custom JDBC URL as in the picture below.
    Cheers
    tanvir

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my Edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    what else I should add ? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Restrict data to after Business hours only...

    Hi all,
    I am trying to ascertain how many service calls logged to a particular workgroup are made after business hours, i.e. after 6.00 pm (18:00 hrs) and before 7 am (07:00 hrs), each day for the past 2 months.
    So how do I restrict the data to only between these times?
    I am confused, as 7.00 am falls in the early morning of the next day. Thus the data is restricted to from 6 in the evening to 7:00 hrs the next morning.
    Any inputs or ideas will be highly appreciated, mate.
    regards
    abhi.

    Use a record selection formula that ONLY pulls times (hopefully you have a date time field) that are between 6pm and midnight OR between midnight and 7am.

  • I bought a download of Adobe Premiere Elements last year. It is on my old computer, which is not powerful enough. I have a new computer that is. I bought an upgrade for $69 but have got nowhere after several hours. What do I do?

    I bought a download of Adobe Premiere Elements last year. It is on my old computer, which is not powerful enough. I have a new computer that is. I bought an upgrade for $69 but have got nowhere after several hours. What do I do?

    What are you trying to do?  What actions are you taking?  What happens when you try?

  • ADFS setup for external access

    Hi all, I would like to setup ADFS for the following scenario below:
    Internal intranet:
    URL: https://intranet.acme.com
    domain: ACME
    ACME domain users: Acme\johndoe
    External Vendor:
    domain: ABC
    ABC domain users: ABC\lucysmith
    Goals: allow external vendor users in the ABC domain to access the internal intranet https://intranet.acme.com via SharePoint-ADFS
    Questions:
    1. Do I need to set up ADFS on both the ACME and ABC domains or just one side? If it is one side, then which one - ACME or ABC?
    2. When I set up the SharePoint web application for https://intranet.acme.com, will this URL be served for both internal and external users, or do I have to extend it as a different URL for external users?
             a. If https://intranet.acme.com is served for both internal and external vendor users, will internal users get the normal NT prompt for authentication, or will it redirect to the ADFS login page just like for external users?
             b. If we need to extend the web application for external vendor users, let's say https://abcexternal.acme.com, will we only need to configure ADFS for this extended web application, so that external vendor users get the ADFS redirect login while internal users get the NT prompt for authentication?
    Thanks

    Hello
    1) You would need to set up ADFS on ABC and configure SharePoint to consume their ADFS token.
    2) I would recommend enabling a default zone for NTLM and extending that to use for your ADFS users (intranet).
    MCITP-EA | "Never test how deep the water is with both feet"

  • Configure security realm for external Access Manager in App server 8.1

    Hi All,
    I would like to protect my j2ee application using access manager running on an external host.
    I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
    external host & port of AM is:
    http://svrd234d.dnn.com.au:58765
    Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
    classname="com.sun.amagent.as.realm.AgentRealm"
    property name="jaas-context" value="agentRealm"
    property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
    property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

    Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
    If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
    Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
    Jerry

  • Batch program to restrict PERNRS for read access to an infotype

    Hi,
      Is there any standard program that can be used to restrict a list of PERNRs for read access to a particular infotype for a certain amount of time?
    The requirement is to restrict IDs (except the batch ID) from changing/creating any time data in IT 2001/2002 while doing the infotype load as well as post-load hour balancing activities.
      We don't want to lock out the PERNR or USERID from maintaining any other infotype data at the same time.
    Appreciate all your suggestions!
    -Sujit

    Hi,
    Actually it was a nice question, and the answer is very straightforward.
    1. Please copy the profile role for HR personal data, which has full authorization for all infotypes, and in the copy set only 'Display' to active for infotypes 2001/2002. You can tell Basis which other infotypes need the same treatment, so that your problem will be solved.
    2. The SAP Basis person knows how to set only 'Display' to active and make (Create, Delete) inactive.
    3. So, finally, the new role should be assigned to the group of PERNRs. This is also Basis work. He can group the PERNRs all together, or by personnel area, or by personnel subarea, or by employee group, or by employee subgroup.
    Girish

  • The "sign in" button does not appear and my library, account, etc. don't launch automatically upon launch. What am I doing wrong? Thanks for any help you can provide. (After two hours of trying to find a way to contact Apple on this issue, I gave up.)

    Hi. I am really frustrated with Apple support. After two hours of trying to navigate their support site, I finally gave up. I really hope someone here will be kind enough to help me find a solution to my problem.
    My iTunes always launched with my account, my library, etc. present. Now it launches in a generic form with none of my information present. It also has no "sign in" area so I can get to my data. I'm not sure what happened, can anyone help?
    Thanks so much for any assistance you can offer.
    Joe

    I've not noticed this but haven't looked for it either - I suspect you are seeing 'normal' behaviour for AppleTV 2/3 - in other words it's ignoring the iTunes flags.
    With AppleTV 1 I used to set playback start/end times using Get Info in iTunes for certain self-indulgent music videos I'd bought which had several minutes of 'acting dialogue' you'd only endure once - this allowed me to shuffle music videos with only the song part of the video being played, not all the waffle before the song started. AppleTV 2 and 3 ignore this setting.
    Also, with AppleTV 1, if you unticked the check box next to stuff you never wanted to stream, AppleTV would behave as expected and not display it at all - useful for preventing non-family-friendly material from streaming in the first place or excluding seasonal material and so forth. AppleTV 2/3 completely ignore the checkboxes in iTunes and stream everything, though you can of course enable parental controls.
    Hard to know if it's the AppleTV's ignoring the info or iTunes not sending it to them in the first place.
    Either way send feedback to Apple here:
    Apple - Apple TV - Feedback
    They won't answer but it may get put on a 'to do' list if enough users complain.
    I'm still waiting for AppleTV 2/3 to handle iTunes LP and iTunes Extras!
    AC

  • Port forwarding for external access to VNC server on multiple machines

    I will have 10 PCs connected to the WRT54GL wireless AP. I am testing with 1. It has a static addresses 10.155.22.51. It is running a VNC server at port 5951.
    If I  set my VNC client up to access 10.155.22.51:5951 it works through the WRT54GL wireless AP.
    I set the WRT54GL port forwarding to 5951 - 5951, set the IP address to 10.155.22.51 and enable. The external address of the AP is 10.155.0.29 on the company LAN.
     So I set the VNC client to access the AP address with the VNC port, i.e. 10.155.0.29:5951. I expect the AP to change the address to 10.155.22.51:5951. This does not work.
    Note: the problem could be that the AP is going through NATting because I can also access it at 10.155.22.9 along with all the other PCs on that LAN, i.e. I can access the LAN directly from elsewhere on the company net.

    You can try changing the IP of the AP manually ... connect it to the Computer  ..... access the setup page using http://192.168.1.245  .... use password as admin ....
    Configure the IP settings first ...
    Again login with new IP address .... configure wireless settings .....
    Power down the AP & then the router ....
    Wait for few minutes .... then power on the router ...first then the AP ...

  • How to use SMIME in OWA for External Recipients

    Hello,
    I am using a hybrid on-premises Active Directory with Office 365 environment, with AD synced to Office 365 using DIRSYNC. We are trying to achieve being able to send encrypted emails to clients using SMIME in OWA. We have used certutil to import certificates for some internal users, which seems to let you send an encrypted email to them. However, when creating a contact in AD for the external user and successfully importing the cert (you can see it in the userCertificate and userSMIMECertificate attribute in the object), we are unable to email the recipient with an encrypted email as OWA cannot find the certificate. Also, the internal users' certificates appear in their entries in the GAL; however, the external contacts do not have their certificate included.
    Could someone advise me how to use OWA to send SMIME encrypted emails to external recipients. You can't add a certificate to a contact in OWA as far as I can see.
    Many Thanks
    Paul

    Hi,
    Please refer to the following article :
    http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/
    Using S/MIME in OWA
    In OWA, users can choose different options to encrypt the message and/or digitally sign it using S/MIME.
    Hope this helps!
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Setting Up Time Capsule for External Access

    Hello all,
    I am trying to set up my Time Capsule to be accessed without local Wi-Fi. I can use Back to My Mac to access the Time Capsule from my iMac, but not from my iPhone as Back to My Mac isn't integrated into iOS. I use File Browser on my iPhone to access my TC from LAN, and it seems likely the TC can also be accessed through 4G using File Browser, too.
    My first question is, can the Time Capsule be accessed through the internet (by port forwarding or something)?
    Second question if the first is possible, how do I do so? (step by step instructions please)
    I have the latest model of Time Capsule and AirPort Utility.
    Thanks!
         - Noah

    Filebrowser can be used to remotely access the TC.
    There are instructions in the filebrowser website.. have you tried those?
    http://www.stratospherix.com/support/gsw_timecapsule.php?page=6remote
    The one area where I think you might have issues is global domain name.. as that has been problematic.
    You really need a static public IP from your ISP for this to be successful.
    See Tesserax doco on remote access especially the global domain instructions.
    https://discussions.apple.com/docs/DOC-3413
    There is a hugely better method BTW..
    Buy a vpn router and substitute that for the Time Capsule.. which can then be bridged behind the router.
    VPN client is built into iOS and every mainline OS available. It is robust and has far superior security.
    Note carefully the method you are going to use with iphone is opening your TC to attack. They have hidden the SMB port, but in reality.. any hacker will one day do a port scan on you and find it open.. no matter what port it is translated to.. at that point your password will be the only thing stopping access to outsider.. and they can often get around that.. or mount Man in the Middle type attack, since passwords in SMB are not secure.
    Not that I think a hacker is going to waste their time doing it.. but it is just so you know.. it is fundamentally wrong. 

  • How to create a networkdrive for external access?

    I am using an iMac with a Time Capsule. There is internet access available. The iMac and Time Capsule are connected via WLAN.
    Now I would like to create a network drive which can be accessed from the internet by either my laptop or iPad and iPhone.
    What do I have to do to create this access?
    Please provide some insight.
    Thank you

  • Trying to open port 8080 in WRT400N for external access

    Hi,
    I have tried everything I can find and I still can't get it open.
    I verified no port 8080 is in use with the "netstat -a" trick
    I got a router checker that verifies I have only one router.
    I got a free app that tells me the port is not open.
    I turned Comodo off .
    Once I start up Calibre I see this in 'netstat':
          Protocol     main address      Foreign Address
            TCP          0.0.0.0:8080              MAIN-PC:0               Listening
    *IF* MY 'public IP" is 98.93.123.456 -
    *IF* I had my stuff fixed would outsiders use 98.93.123.456:8080 to get to the server?
    I set Single Port Forwarding to 8080  8080 Both 192.168.1.106 (Enabled)
    I set Port Range Forwarding to the very same
    I set Port Range Triggering to 8080 to 8080,  8080 to 8080
    I can't figure out anything else to do?
    Any help would be appreciated
    Thanks

    @NO_SCREENNAME@ wrote:
    The closest thing to the wording I saw was "Filter Anonymous Internet Requests" and I unchecked it.
    I changed the port to 8081 everywhere I had it 8080 before
    If there is a number I should use let me know (I am noob in this stuff.)
    So nothing has changed.
    I can bring up the logon if I am on the same computer as Calibre and that's as far as it goes.
    Should I have my computers IP in the places I listed or the routers IP?
    OK I just tried that and the router told me "No"...grasping at straws I guess.
    We are making headway ...any more things to check?
    Thanks guys
    If you forward the port, and the online port scanner shows that the port is closed still odds are that the application on the PC that you are trying to forward to is not running, also it could still be a firewall running on the PC.
    1. Confirm the Router is getting a public IP address, if it is getting a private the device in front will need to be forwarded. (Your router is getting public IP)
    2. Confirm the Router has the correct ports forwarded; also be sure to know if it is TCP or UDP.
    3. Confirm the Application is running on the PC
    4. Make sure no firewalls running.
    After that you should be good; just do the test in DOS (for example: public IP address followed by a single space and then the port number). The command would connect you to a web server running on port 8080. You will not see anything in the DOS window; usually what will happen if you connect is the screen will just go entirely black (if it’s successful). If the port is closed it will tell you that it cannot create a connection.
